A third-party file sharing system provided by Accellion, called FTA, has been illegally accessed through a zero-day (previously unknown) vulnerability. Singtel uses this system to share information internally as well as with external stakeholders and organizations. Other customers of this Accellion system were similarly impacted. The system has been taken offline. Singtel has commenced a detailed forensic and criminal investigation involving cyber security experts, the Cyber Security Agency of Singapore and the Police.
After Accellion first informed us of the vulnerability on 23 December, we applied, in a timely manner, a series of patches they provided to plug the vulnerability: the first patch was applied on 24 December and the second and last patch was applied on 27 December. There have been no patches issued by Accellion since. On 23 January, Accellion issued another advisory citing a new vulnerability which the 27 December patch was not effective against, and we immediately took the system offline. On 30 January, Accellion provided another patch for the new vulnerability, which triggered an anomaly alert when we tried to apply it. Accellion informed us thereafter that our system could have been breached and that this had likely occurred on 20 January. We continued to keep the system offline and activated cyber and criminal investigations, which have confirmed the 20 January date. Given the complexity of the investigations, it was only confirmed on 9 February that files were taken.